How to break multiple values of a column into new column name?
Swipe_Entry_Type
In
In
In
Out
Out
Out
Swipe_Entry_Type_In
In
In
In
Swipe_Entry_Type_Out
Out
Out
Out
Try like this
your current search giving fields Swipe_Entry_Type,Swipe_Time,Department,Student,Name
| eval Swipe_Entry_In=if(Swipe_Entry_Type="In",Swipe_Entry_Type,null())
| eval Swipe_Entry_Out=if(Swipe_Entry_Type="Out",Swipe_Entry_Type,null())
| stats values(Swipe_Entry_In) as Swipe_Entry_In values(Swipe_Entry_Out) as Swipe_Entry_Out by Department,Student,Name
| table Name Swipe_Entry_In Swipe_Entry_Out Department Student
I want to convert Swipe_Time into Swipe_Time_In and Swipe_Time_Out based on the values
Swipe_Entry_Type,Swipe_Time,Department,Student,Name
In,2015-07-28 09:00:01 AM,CSE,CB049201,Sumanth
In,2015-07-28 09:00:01 AM,CSE,CB049202,Ramya
Out,2015-07-28 05:08:01 PM,CSE,CB049201,Sumanth
Out,2015-07-28 05:08:01 PM,CSE,CB049202,Ramya
if it is AM then new column as Swipe_Time_In and if it is PM then new column as Swipe_Time_Out
Try this
base search | mvexpand Swipe_Entry_Type | stats values(eval(Swipe_Entry_Type="In")) as Swipe_Entry_Type_In values(eval(Swipe_Entry_Type="Out")) as Swipe_Entry_Type_Out | table Swipe_Entry_Type_In Swipe_Entry_Type_Out
Is Swipe_Entry_Type a multivalued field OR regular fields (single value per row). Share the query which is getting you this.
My Input:
Swipe_Entry_Type,Swipe_Time,Department,Student,Name
In,2015-07-28 09:00:01 AM,CSE,CB049201,Sumanth
In,2015-07-28 09:00:01 AM,CSE,CB049202,Ramya
Out,2015-07-28 05:08:01 PM,CSE,CB049201,Sumanth
Out,2015-07-28 05:08:01 PM,CSE,CB049202,Ramya
output should be
Name Swipe_Entry_In Swipe_Entry_Out Time_Entry_In Time_entry_Out Department Student
Sumanth In Out Time Tine CSE CB049201